Query Details
```kql
//This query identifies processes matching known malicious file hashes
//Adjust hash list based on your threat intelligence
let badHashes = dynamic(["hash1", "hash2", "hash3"]); // Replace with actual bad hashes
DeviceProcessEvents
| where Timestamp between (ago(7d) .. now())
| where SHA1 in (badHashes)
| project Timestamp, DeviceName, FileName, SHA1, ProcessCommandLine, InitiatingProcessAccountName
| sort by Timestamp desc
```
This query is designed to find and list processes on devices that match a set of known malicious file hashes. Here's a breakdown of what it does:
Define Malicious Hashes: It starts by creating a list of known bad file hashes (e.g., "hash1", "hash2", "hash3"). You should replace these placeholders with actual malicious hashes based on your threat intelligence.
Search for Matching Processes: It searches through the DeviceProcessEvents data to find any processes that have run in the last 7 days (ago(7d) .. now()) and have a SHA1 hash that matches one of the hashes in the badHashes list.
Select Relevant Information: For each matching process, it selects and displays specific details: the time the process was observed (Timestamp), the name of the device where it ran (DeviceName), the name of the file (FileName), the SHA1 hash (SHA1), the command line used to start the process (ProcessCommandLine), and the account name that initiated the process (InitiatingProcessAccountName).
Sort Results: Finally, it sorts the results by the timestamp in descending order, so the most recent events appear first.
In summary, this query helps you identify and investigate potentially malicious processes on your network by comparing their file hashes against a list of known threats.
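An added variant of the hunt above (example code, not the original query): it matches on SHA1, SHA256 and MD5 using the case-insensitive `in~` operator (plain `in` is case-sensitive, so an upper-case hash in the list would silently miss), records which indicator fired, and summarises hits per device and file so repeated executions collapse into one triage row. The hash values are constructed placeholders.

```kql
// Added example: multi-hash, case-insensitive variant of the hunt above.
// The hash values are constructed placeholders, not real indicators.
let badHashes = dynamic([
    "0000000000000000000000000000000000000001",                          // placeholder SHA1
    "0000000000000000000000000000000000000000000000000000000000000002",  // placeholder SHA256
    "00000000000000000000000000000003"                                   // placeholder MD5
]);
DeviceProcessEvents
| where Timestamp > ago(7d)
// in~ compares case-insensitively; plain `in` would miss upper-case entries in the list
| where SHA1 in~ (badHashes) or SHA256 in~ (badHashes) or MD5 in~ (badHashes)
// record which hash column produced the match so the analyst knows which indicator fired
| extend MatchedHash = case(
    SHA1 in~ (badHashes), SHA1,
    SHA256 in~ (badHashes), SHA256,
    MD5)
// collapse repeated executions of the same file on the same device into one triage row
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Executions = count(),
            Accounts = make_set(InitiatingProcessAccountName, 10),
            ParentProcesses = make_set(InitiatingProcessFileName, 10),
            CommandLines = make_set(ProcessCommandLine, 5)
    by DeviceName, FileName, FolderPath, MatchedHash
| sort by LastSeen desc
```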

Nick D.
Released: November 10, 2024